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Abstract. We present Las Vegas algorithms for constructive recognition and 
constructive membership testing of the Ree groups 2 G2(g) = Ree(g), where 
q = 3 2m +! for some m > 0, in their natural representations of degree 7. The 
input is a generating set X C GL(7, q). 

The constructive recognition algorithm is polynomial time given a dis- 
crete logarithm oracle. The constructive membership testing consists of a pre- 
processing step, that only needs to be executed once for a given X, and a main 
step. The latter is polynomial time, and the former is polynomial time given 
a discrete logarithm oracle. 

Implementations of the algorithms are available for the computer algebra 
system MAGMA. 



1. Introduction 

This paper will consider algorithmic problems for a class of finite simple groups, 
as matrix groups over finite fields, given by sets of generators. The most important 
problems under consideration are the following: 

(1) The constructive membership problem. Given G = (X) GL(<i, q) and 
g G U G, decide whether or not g 6 G, and if so express g as a straight 
line program in X. 

(2) The constructive recognition problem. Given G = (X) ^ GL(c£, q), con- 
struct an effective isomorphism from G to a standard copy H of G, to- 
gether with an effective inverse isomorphism. An isomorphism ip : G — > H 
is effective if ip(g) can be computed efficiently for every g e G. 

In [I] we considered these problems for the Suzuki groups. Here we consider 
the Ree groups 2 G2(<z) = Ree(g), q = 3 2m + 1 for any m > 0. We only consider 
the natural representations, which have dimension 7. Our standard copy is Ree(g), 
defined in Section [3] 

The primary motivation for considering these problems comes from the matrix 
group recognition project [31 [521 HH] • 

The ideas used here for the constructive recognition and membership testing of 
Ree(g) are similar to those used in [1] and [11] for Sz(g) and SL(2, q), respectively. 
The results are also similar in the sense that we reduce these problems to the 
discrete logarithm problem. 

In Section 14.21 we solve the constructive membership problem for Ree(q). In 
Section |4~31 we consider conjugates of Ree(g) and show how to construct effective 
isomorphisms to Kee(q), hence solving constructive recognition in the natural rep- 
resentation. 

The main objective of this paper is to prove the following: 

Theorem 1.1. Let o- (d) be the number of divisors of d £ N. Assume an oracle for 
the discrete logarithm problem in ¥ q , with time complexity O(xd) field operations, 
and a random element oracle for subgroups ofGL(7,q), with time complexity 0(£) 
field operations. 
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• There exists a Las Vegas algorithm that for each (X) ^ GL(7, q), with 
q = 3 2m+1 for some m > 0, such that (X) = Ree(g), constructs an effec- 
tive isomorphism $ : (X) — > Ree(g), such that , I /_1 is also effective. The 
algorithm has expected time complexity 0(£ loglog(<7) + log(<7)(ero(log((?)) + 
log(g)) + xd) field operations. 

• There exists a Las Vegas algorithm that for each (X) ^ GL(7, q), with 
q = 3 2m+1 for some m > 0, such that (X) = Ree(g), solves the constructive 
membership problem for (X). The algorithm has expected time complexity 
0(£ + log(g) 3 ) field operations and also has a pre-processing step, which 
only needs to be executed once for a given X , with expected time complexity 
0((£loglog(q) + log(g) 3 + xd) loglog(g) 2 ) field operations. The length of 
the returned SLP is 0(log(g) log log(q) 2 ). 

Implementations of the algorithms have been done in Magma [6]. 

A version of the material in this paper appeared in [2J, relying on a few conjec- 
tures. Advice by Bill Kantor and Gunter Malle has led to proofs of the conjectures, 
for which we are very grateful. In particular, the central idea behind the algorithm 
in Section H~31 is due to Bill Kantor. 

We thank John Bray, Peter Brooksbank, Alexander Hulpke, Charles Leedham- 
Green, Eamonn O'Brien, Maud de Visscher and Robert Wilson for their helpful 
comments. 

2. Preliminaries 
We will now briefly discuss some general concepts that are needed later. 

2.1. Complexity. Time complexity is measured in field operations. Basic matrix 
arithmetic requires 0(1) field operations. Raising a matrix to an 0(g) power requires 
0(log<7) field operations, for example using [321 Lemma 10.1]. 

We never need to compute large precise orders of matrices. It is sufficient to com- 
pute pseudo-orders [5J Section 8]. This can be done using JTU], in 0(log(g) log log(q)) 
field operations. 

We shall assume an oracle for the discrete logarithm problem in ¥ q [33| Chapter 
3], requiring 0(xd) field operations. 

2.2. Straight line programs. For constructive membership testing, we want to 
express an element of a group G = (X) as a straight line program in X, abbreviated 
to SLP. An SLP is a data structure for a word, which allows for efficient computations 
[321 Section 1.2.3]. 

2.3. Random group elements. Our algorithms need to construct (nearly) uni- 
formly distributed random elements of a group G = (X) ^ GL(<i, q). The algorithm 
of [1] solves this task in polynomial time, but it is not commonly used in practice. 
The product replacement algorithm of [5] also solves this task. It is fast in practice 
and polynomial time |29j . 

We shall assume that we have a random element oracle, which produces a uni- 
formly random element of (X) using 0(£) field operations, and returns it as an SLP 
in X. 

An important issue is the length of the SLPs that are computed. The length 
of the SLPs must be polynomial, otherwise evaluation would not be polynomial 
time. We assume that SLPs of random elements have length O(n) where n is the 
number of random elements that have been selected so far during the execution of 
the algorithm. 

In [23] . a variant of the product replacement algorithm is presented that con- 
structs random elements of the normal closure of a subgroup. This will be used 
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here to construct random elements of the derived subgroup of a group (X), using 
the fact that this is precisely the normal closure of ([x, y] : x, y € X). 

2.4. Probabilistic algorithms. The algorithms we consider are probabilistic of 
the type known as Las Vegas algorithms. This type of algorithm is discussed in [THl 
Section 3.2.1]. We present Las Vegas algorithms in the same way as in pQ. 

2.5. Recognition of PSL(2,g). In [TT], an algorithm for constructive recognition 
and constructive membership testing of PSL(2, q) is presented. 

We will use [11] since PSL(2,<?) arise as a subgroup of Ree(g). Because of this, 
we state the main result here. 

Theorem 2.1. Assume an oracle for the discrete logarithm problem in ¥ q . There 
exists a Las Vegas algorithm that, given (X) ^ GL(d, q), which acts absolutely 
irreducibly and cannot be written over a smaller field, with (X) = PSL(2, q) and 
q = p e , constructs an effective isomorphism ip : (X) — > PSL(2, q) and performs pre- 
processing for constructive membership testing. The algorithm has expected time 
complexity 

0((£ + d 3 log(g) loglogV)) loglog(g) + d 5 a (d) \X\ + d XD + $(d)d) 
field operations. 

The inverse of ip is also effective. Each image of tp can be computed using 
0(d 3 ) field operations, and each pre-image using 0(d 3 log(g) loglog(g) + e 3 ) field 
operations. After the algorithm has executed, constructive membership testing of 
g G GL(d, q) requires 0(g? 3 log(g) loglog(<7) + e 3 ) field operations, and the resulting 
SLP has length O(log(g) loglog(g)). 

2.6. Notation. Some notation will be fixed throughout the paper. 

• For a group G and a prime p, let O p (G) denote the largest normal p- 
subgroup of G. 

• If G acts on a set O and P £ O, then Gp denotes the stabiliser in G of P. 

• Let q = 2 2m+1 , where m > 0, be the size of the finite field ¥ q . Let t = 3 m — 
\/3q and let ui be a fixed primitive element of ¥ q . 

• Let 



antidiag(xi, . . . , 27) 



For a module Mora matrix g, we denote the symmetric square of M or g 
by S 2 (M) and S 2 (g), respectively. 

The time complexity in field operators for an invocation of a random ele- 
ment oracle on a group G will be denoted £. 

The time complexity in field operators for an invocation of a discrete loga- 
rithm oracle on F 9 will be denoted \d- 

We will use do as defined in Theorem ll.il Note that from [T31 pp. 64, 359, 262] 
for every e > 0, if d is sufficiently large, then a (d) < 2< 1+e ) i°ge(d)/i°giog e (d)_ 
For a vector space V, we denote the corresponding projective space by 
P(V). 

We denote the standard n-dimensional vector space over ¥ q by F™, and the 
corresponding projective space by P n (¥ q ). 
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3. The small Ree groups 



The small Ree groups were first described in [3011311 . An elementary construction 
is given in [35j Chapter 4]. 

3.1. Definition and properties. We now define our standard copy of the Ree 
groups. The generators we use are those described in [2D]. For ieF, and A € F* , 
define the matrices 
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(3.2) 



h(X) = diag(A*, A 1 '*, A 24 " 1 , 1, A 1 " 24 , A 4 ' 1 , A"*) 
T = antidiag(— 1, —1, —1, —1, —1, —1, —1) 
and define the Ree group as 

Ree(q) = (a(x),(3(x), 1 {x),h{X),T \xe¥ q ,Xe F ? x ) . 
Also, define the subgroups of upper triangular and diagonal matrices: 
U(q) = (a{x),0{x),7{x) \x e¥ q ) 



H(q) = {h(\)\\eF*}=F*. 
From [25] we know that each element of U (q) can be expressed uniquely as 



(3.3) 



(3.4) 
(3.5) 

(3.6) 

(3.7) 
(3.8) 



S(a, b, c) = a(a)/3(b)j(c) 

so U(q) = {S(a,b,c) \ a, b, c € ¥ q }, and it follows that \U(q)\ = q 3 
Sylow 3-subgroup of Ree(g), and direct calculations show that 

S(a 1 ,b 1 ,c 1 )S(a 2 ,b 2 ,c 2 ) = 

= S(ai + a 2 , bi + b 2 - aid?,*, C\ + c 2 — a 2 bi + aia 3 ,^ 1 — a\a%), 
S(a, b, c)- 1 = S(-a,-(b + a 3t+1 ), -{c + ab- a 3t+2 )), 
S{ ai ,b u ci) s ^' h ^ - 

= ^(ai, 61 — aia 2 l + a^ 31 , c\ + a\b 2 — 0261 + a\c? 2 tJrl — a 2 a 3t+1 - 



(3.9) 

Also, U(q) is a 

(3.10) 
(3.11) 

■ a\af + a 2 af) 
(3.12) 
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and 

S(a, b, c) hW = S{X 3t - 2 a, A 1_3t 6, A~ x c). (3.13) 

It follows that Ree(g) = (S(l, 0, 0), h(uj), T), and these are our standard gen- 
erators. The group preserves a symmetric bilinear form on F^, represented by the 
matrix 

J = antidiag(l, 1, 1,-1, 1, 1, 1) (3.14) 
From [31], [T51 Chapter 11] and [35J Chapter 4] we obtain the following. 

Proposition 3.1. Let G — Ree(q). 

(1) \G\ = q 3 {q 3 + l)(q - 1) where gcd{q 3 + 1, q - 1) = 2. 

(2) Conjugates of U(q) intersect trivially. 

(3) T/ie centre Z(t/(g)) = {5(0, 0, c) | c G FJ. 

(4) T/ie derived group U(q)' = {S(0,b,c) | b, cG F g }, and iis elements have 
order 3. 

(5) TTie elements in U(q) \ U{q)' = {S(a,b,c) \ a ^ 0} /la-ue order 9 and f/ieir 
CM&es /orm Z(U(q)) \ (1) . 

(6) Nc(U(q)) = U(q)H(q) and G acts doubly transitively on the right cosets of 
Ng{U (q)), i.e. on a set of size q 3 + 1. 

(7) U(q)H(q) is a Frobenius group with Frobenius kernel U(q). 

(8) The proportion of elements of order q — 1 in U(q)H(q) is ip(q — l)/(a — 1). 
where cf> is the Euler totient function. 

(9) N G (H(q)) = (h(uj),T) =B 2{q . iy 

For our purposes, we want another set to act (equivalently) upon. 

Proposition 3.2. There exists O C P 6 (F g ) on which G = Ree(q) acts faithfully 
and doubly transitively. Namely, 

O ={(0 : : : : : : 1)}U 

{(1 : a* : : (abf - c l : -b - a 3t+1 - (acf : -c - (bcf - a 3t + 2 - alb 21 : 



*- - b t+1 + a 4t+2 - c 2t - a 3t+1 6* - (abcY)} 



a c 



(3.15) 



Moreover, the stabiliser of = (0:0:0:0:0:0:1) is U(q)H(q), the stabiliser 
of Pq = (1:0:0:0:0:0:0) is (U(q)H(q)) T and the stabiliser of (P^Po) is 
H(q). 

Proof. Notice that O \ {Poo} consists of the first rows of the elements of U (q)H(q). 
From Proposition 13.11 it follows that G is the disjoint union of U(q)H(q) and 
U(q)H(q)TU{q)H{q). Define a map between the G-sets as (U(q)H(q))g M> P^g. 

If g G U(q)H(q) then P^g — P^ and hence the stabiliser of P^ is U(q)H(q). If 
g £ U{q)H{q) then g = xTy where x, y £ U(q)H(q). Hence P^g — P y G O since 
Poy is the first row of y. It follows that the map defines an equivalence between the 
G-sets. □ 

Proposition 3.3. Let G = Ree(g). 

(1) The stabiliser in G of any two distinct points of O is conjugate to H(q), 
and the stabiliser of any triple of points has order 2. 

(2) The number of elements in G that fix exactly one point is q 6 — 1. 

(3) All involutions in G are conjugate in G. 

(4) An involution fixes q + 1 points. 

Proof. (1) Immediate from QH Chapter 11, Theorem 13.2(d)]. 
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(2) A stabiliser of a point is conjugate to U(q)H(q), and there are \0\ conju- 
gates. The elements fixing exactly one point are the non-trivial elements 
of U(q). Therefore the number of such elements is \0\ (\U(q)\ — 1) = (q 3 + 

i)(9 3 -i) = (g 6 -i). 

(3) Immediate from [TH1 Chapter 11, Theorem 13.2(e)]. 

(4) Each involution is conjugate to 

h(-l) = diag(-l, 1, -1, 1, -1, 1, -1). 

Evidently, h(-l) fixes since h(-l) e H(q). If P = (pi : • • • : p 7 ) G O 
with pi 0, then P is fixed by h(— 1) if and only if p2 — Pa = pe = 0. But 
then P is uniquely determined by p^, so there are q possible choices for P. 
Thus the number of points fixed by h{— 1) is q + 1. 

□ 

We shall need the following general result, whose easy proof we omit. 

Lemma 3.4. Let g G G ^ GL(<i, F), where d is odd, and F a finite field, and 
assume that G preserves a non- degenerate bilinear form and dct (g) = 1. Then g 
has 1 as an eigenvalue. 

Proposition 3.5. All cyclic subgroups of G = Ree(q) of order q — 1 are conjugate 
to H(q) and hence each is a stabiliser of two points of O. 

Proof. Let G = (g) ^ G be cyclic of order q — 1 and let p be an odd prime such 
that p | q — 1. Then there exists k S 1 such that \g k | = p. Since q 3 + 1 = 2 (mod p) 
and \g k \ > 2, the cycle structure of g k on O must be a number of p-cycles and 2 
fixed points P and Q. Since G is doubly transitive there exists x € G such that 
Px = Poo and Qx = Pq. 

Now either g fixes P and Q or interchanges them, so g x £ Ng(H (q)) = (H(q), T) = 
D 2 ( 9 _i). Hence (g x ) = H{q), the unique cyclic subgroup of order q— 1 in (H(q), T). 

□ 

Proposition 3.6. Let G — Ree(q) and let (f> be the Euler totient function. 

(1) The centraliser of an involution j € G is isomorphic to (j) x PSL(2, q) and 
hence has order q(q 2 — 1). 

(2) The number of involutions in G is q 2 (q 2 — q + 1). 

(3) The number of elements in G of order q ~ 1 is <fi(q — l)q 3 (g 3 + l)/2. 

(4) The number of elements in G of even order is q 2 (7q 5 - 23<? 4 + 8g 3 + 23g 2 - 
39g + 24)/24. 

(5) The number of elements in G that fix at least one point is q 2 (q 5 — q +3q 2 — 
5q + 2)/2 

Proof. (1) Immediate from [TgJ Chapter 11]. 

(2) All involutions are conjugate, and the index in G of the involution cen- 

traliser is q3{ ^ ) _%~ 1) =q 2 (q 2 -q+l). 

(3) By Proposition 13.51 each cyclic subgroup of order q — 1 is a stabiliser of 
two points and is uniquely determined by the pair of points that it fixes. 
Hence the number of cyclic subgroups of order q — 1 is (^) = 9 o +1 ^ ■ 
By Proposition 13.31 the intersection of two distinct subgroups has order 2, 
so the number of elements of order q — 1 is the number of generators of all 
these subgroups. 

(4) By [25l Lemma 2], every element of even order lies in a cyclic subgroup 
of order q — 1 or (q + l)/2. In each cyclic subgroup of order q — 1 there 
is a unique involution and hence {q — 3)/2 non-involutions of even order. 
Similarly, there are (q — 3)/4 non-involutions in a cyclic subgroup of order 
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(q + l)/2. By Proposition 13.51 the total number of elements of even order is 
therefore 

(q - 3)(q 3 + l)q 3 /4 + (q - 3)(q - l)(q 2 - q + l)q 3 /24 + q 2 (q 2 - q + 1) 

= q 2 {7q 5 - 23q 4 + 8q 3 + 23q 2 - 39q + 24) /24 (3.16) 

(5) The only non-trivial elements of G that fix more than 2 points are in- 
volutions. Hence in each cyclic subgroup of order q — 1 there are q — 3 
elements that fix exactly 2 points, so by Proposition 13.31 the number of 
elements that fix at least one point is q 6 + t 1 ?" 3 )^ -f q 2 [q 2 — q + 1) = 

g 2 (g 5 -3 4 +3g 2 -5g+2) 
2 

□ 

Proposition 3.7. A maximal subgroup of G = Kee(q) is conjugate to one of the 
following subgroups: 

• Ng(E/(<z)) = U(q)H(q), the point stabiliser, 

• Cq(J) = (j) x PSL(2,g), the centraliser of an involution j, 

• Ng(A ) = (C2 x C2 x J 4 ):C6, where A ^ Ree(q) is cyclic of order (q + 
l)/4, 

• Ng(Ai) = A±: Cq, where A\ ^ Ree(g) is cyclic of order q + 1 — Zt, 

• Ng(^42) — A2: Ce, where A2 ^ Ree(g) is cyclic of order q + 1 + 3t, 

• Ree(s) where q is a proper power of s. 

Moreover, all maximal subgroups except the last are reducible. 

Proof. The structure of the maximal subgroups follows from [3T] and [3S]. Hence 
it is sufficient to prove the final statement. 

Clearly the point stabiliser is reducible. By Proposition 13.31 j is conjugate to 
h(— 1) = diag (—1, 1, —1, 1, —1, 1, —1) so it has two eigenspaces Sj and Tj for 1 and 
— 1 respectively. Clearly dimS , J - = 3 and diruTj = 4. 

Let v G Sj and g G PSL(2, q). Then (vg)j = (vj)g = vg since g centralises j and 
j fixes v, which shows that vg € Sj, so this subspace is fixed by PSL(2, q). Similarly, 
Tj is also fixed. Hence Sj and Tj are submodules and the involution centraliser is 
reducible. 

Let H be a normaliser of a cyclic subgroup and let x be a generator of the 
cyclic subgroup that is normalised. Since G < SO(7,g), by Lemma 13.41 x has an 
eigenspace E for the eigenvalue 1, where E is a proper non-trivial subspace of V. 
If v € E and h G H, then (vh)x h = vh so that vh is fixed by (x h ) — (x). This 
implies that vh G E and thus E is a proper non-trivial -ff-invariant subspace, so H 
is reducible. □ 

Proposition 3.8. Let G = Ree(g) with natural module V , let j G G be an involu- 
tion and let C — Cc(i)- 

(1) C"^PSL(2,q) 

(2) V\c> = V 3 8 V4 where dim^ = i. 

(3) V3 and V4 are absolutely irreducible. Moreover, V4 = S"^ ® S 1 awe? V3 = 
5 2 (S') where S is the natural module ofPSL(2,q), (j) is the Frobenius auto- 
morphism and 1 i < k ^ 2m + 1. 

(4) When j = h(— 1), the forms preserved on V3 andV^ are Jz = antidiag(l, — 1, 1) 
cm<i J4 = antidiag(l, 1, 1, 1), up to scalar multiples. 

Proof. (1) Immediate from Proposition 13. 71 

(2) From the proof of Proposition 13. 71 we see that V \c has submodules V3 and 
V4, so this is also true of V\c>, since C' = PSL(2, q). 
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(3) Let C3 = PSL(2,g) be the group acting on V3. Since PSL(2,g) has no 
irreducible module of dimension 2, if V3 is reducible, it must have three 
1-dimcnsional constituents. But PSL(2,g) is simple, so 03(63) = 1, hence 
V3 = 1® 1®1. By [Ml Theorem 4.4], the 1-dimensional representations must 
be trivial, so C3 = 1. But this is clearly false, since [T, h(iS)] £ Cc(h(~ 1))' 
and acts non-trivially on its corresponding 3-dimensional submodule. 

Similarly, let C4 be the group acting on V4, and assume it is reducible. 
Then V4 = 1 © V3, where V 3 ' is irreducible of dimension 3 and the 1- 
dimensional module is trivial. This implies that every g £ C4 has 1 as 
an eigenvalue. Again, [T, h(to)] provides a contradiction. 

The result follows from the structure of irreducible modules of PSL(2, q) 
® §30]. 

(4) Clearly if V = (ei,...,e 7 ) then V 3 = (e 2 ,e 4 ,e 6 ) and V4 = (ei, e 3 , e s , e 7 ). 
The form J then restricts to J4 = antidiag(l, 1, 1, 1) on V4 and J3 = 
antidiag(l, —1, 1) on V3. 

□ 

Proposition 3.9. Let G = Ree(g) and let C — Cg(j') for some involution j 6 G. 
LetN = N n (7,,)(C"). Then [N : C] = 2. 

Proof. By Proposition 13. 81 C" = PSL(2, 5), its module splits up as a 3-space and a 
4-space, and C acts diagonally on these submodules. The normaliser must preserve 
this decomposition, and from Proposition 13.81 it is clear that the form preserved on 
the 4-space is of +-type, so N embeds in £1(3, q) x £l + (4, q). Let C3 and 7V3 be the 
images of C and on the 3-space. Define C4 and analogously. 

Now |n(3,«)| = |PSL(2, 9 )|, so [N s ■ C 3 ] = 1. Since n+(4,g) S SL(2, q) o SL(2, q) 
[551 Chapter 4], it acts as a tensor product on the 4-space. By Proposition 13. 8[ C 
acts diagonally as a tensor product on the 4-space. Clearly, the only element in 
il + (4, q) \ C4 which can normalise C4 is the central element —1, so [7V4 : C4] = 2. 
This proves the result. □ 

Proposition 3.10. Let G — Ree(g) and let C — Cg(j') where j = h(—l) E G is 
the diagonal involution. A symmetric bilinear form preserved by C' has a matrix 
representation of the form antidiag(l, a, 1, —a, 1, a, 1) for some a € (F x ) 2 . 

Proof. By Proposition l3.8l the module V of C' splits up as V3©14 where dim Vi = i 
and the preserved forms on these submodules are J3 = antidiag(l, —1, 1) and J4 = 
antidiag(l, 1, 1, 1). These are unique up to scalar multiples since the modules are 
absolutely irreducible. Since V3 and V4 are also eigenspaces for j, they must be 
orthogonal complements of each other for every form preserved by C". 

Hence the matrix of an arbitrary form J7 on V, preserved by C", must be the 
anti-diagonal join, with rows interchanged accordingly, of aJ 3 and /3Ji, for some 
a, (3 € F£ . These are determined up to scalar multiples, so we can choose a and 
(3 as squares in ¥ q . But now the matrix J7 is also only determined up to a scalar 
multiple, so we can choose (3=1. This proves the result. □ 

Lemma 3.11. If g 6 G = Ree(g) is uniformly random, then 

7n 2 — Qn — 24 

Pr[|<?| even] = q q + > 1/4 (3.18) 
Pr[ 5 fixes a point] = Z^+jg + g_ ^ 1/2 (3.19) 
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Proof. In each case, the first equality follows from Proposition 13.61 and Proposition 
13.11 In the first case, the inequality follows from [251 Section II. 8], and in the other 
cases the inequalities are clear since q ^ 27. □ 

Corollary 3.12. In Ree(g), the expected number of random selections required to 
obtain an element of order q — 1 is O (log log g). Similarly, the expected number of 
random selections required obtain an element that fixes a point, or an element of 
even order, is 0(1). 

Proof. Clearly the number of selections is geometrically distributed, where the suc- 
cess probabilities for each selection are given by Lemma \'3. Ill Hence the expecta- 
tions are as stated. □ 

Proposition 3.13. Elements in Ree(g) of order prime to 3, with the same trace, 
are conjugate. 

Proof. From |34j . the number of conjugacy classes of non-identity elements of order 
prime to 3 is q - 1. Observe that for A G F*, Tr(,S(0,0, l)Th(X)) = A* - 1 and 
|S'(0,0,l)T/i(A)| is prime to 3 if also A ^ -1. 

Moreover, h(— 1) has order 2 and trace —1 so there are q — 1 possible traces for 
non-identity elements of order prime to 3, and elements with different trace must 
be non-conjugate. Thus all conjugacy classes must have different traces. □ 

We omit the proof of the following well-known result. 

Proposition 3.14. Let G = PSL(2,q). Ifx,y£ G are uniformly random, then 

Pt[(x, y)=G] = l- O(a (\ O g(q))/q) (3.20) 

The following result is analogous to [TJ Proposition 5.1], so the proof is omitted. 

Proposition 3.15. If g\,g% G U(q)H(q) are uniformly random and independent, 
then 

Pr[|[ 5l)52 ]| =9] = 1- -i— - (3.21) 
9-1 

3.2. Alternative definition. The definition of Ree(g) that we have given is the 
one that best suits most of our purposes. However, to deal with some aspects of 
constructive recognition, we need the more common definition. 

Following [35J Chapter 4], the exceptional group G2(q) is constructed by con- 
sidering the Cayley algebra O (the octonion algebra), which has dimension 8, and 
defining G2(q) as the automorphism group of O. Thus each element of G2(q) fixes 
the identity and preserves the algebra multiplication, and it follows that G2(q) is 
isomorphic to a subgroup of £1(7, q). 

Furthermore, when q is an odd power of 3, G2(q) has a certain outer automor- 
phism, sometimes called the exceptional outer automorphism, whose set of fixed 
points forms a group, and Ree(g) = 2 G2(g). 

4. Algorithms 

Here we present the algorithms mentioned in the introduction. We first give an 
algorithm to identify our standard copy, which is needed later. 

Theorem 4.1. There exists a Las Vegas algorithm that, given (X) ^ GL(7, q), 
decides whether or not (X) = Ree(g). The algorithm has expected time complexity 
0(cro(log(g))(|A'| + log(q))) field operations. 

Proof. Let G = Ree(q). The algorithm proceeds as follows: 

(1) Determine if X C G: all the following steps must succeed in order to con- 
clude that a given g G X also lies in G. 
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(a) Determine if g £ Q(7, q), which is true if det g = 1, if gJg T — J, where 
J is given by (I3.14j) . and if the spinor norm of g is 0. The spinor norm 
is calculated using [27j Theorem 2.10]. 

(b) Determine if g £ G2 (q) , which from Section l3~2"l is true if g preserves the 
octonion algebra multiplication •. Hence test if (e^ • ej)g = (eig) ■ (ejg) 
for each i,j — 1, . . . , 7, where M = (ei, . . . , ei) is the natural module 
of G2(q). The multiplication table for • can be pre-computed using [351 
Chapter 4] . 

(c) Determine if g is a fixed point of the exceptional outer automorphism 
of G2{q), mentioned in Section 13.21 Computing the automorphism 
amounts to extracting a submatrix of the exterior square of g and 
then replacing each matrix entry x by x 3 . 

(2) Determine if (X) is a proper subgroup of G, or equivalently if (X) is con- 
tained in a maximal subgroup. By Proposition 13.71 it is sufficient to de- 
termine if (X) can be written over a smaller field or if (X) is reducible. 
This can be done using the algorithms described in [T^] and the MeatAxe 

nansi. 

The first step takes 0(|X| log(g)) field operations. The expected time of the 
algorithms in [12] and of the MeatAxe is O(oo(l°g(g))(| V|+log(g))) field operations. 
Hence our recognition algorithm has the stated expected time, and it is Las Vegas 
since the MeatAxe is Las Vegas. □ 

4.1. Finding an element of a stabiliser. Let G = Kec(q) = (X). The algorithm 
for constructive membership testing needs to obtain independent random elements 
of Gp, for a given point P, as SLPs in X. This is straightforward if, for any pair of 
points P,Q £ O, we can construct g £ G as an SLP in X such that Pg = Q. 

We first give an overview of the algorithm. The general idea is to obtain an 
involution j & G by random search, and then compute Ca(j) = (j) xPSL(2, q) using 
[8]. The given module restricted to the centraliser splits up as in Proposition 13.81 
and the points P,Q £ O restrict to points P3, Q3 in the 3-dimensional submodulc. 
If the restrictions satisfy certain conditions, then we can write down g £ Cg(j') that 
maps P3 to Q3, and obtain g as an SLP in the generators of Cg(j') using the maps 
from Theorem 12.11 With high probability, we can then multiply g by an element 
that fixes P3 so that it also maps P to Q. A discrete logarithm oracle is needed 
in that step. When using [5], we can easily keep track of SLPs of the centraliser 
generators, hence we obtain g as an SLP in X. 

By Corollary 13.121 it is easy to find elements of even order by random search, 
which we can power up to obtain involutions. 

To use [8] we need an algorithm that determines if the whole centraliser has been 
generated. Since its derived group should be PSL(2,g), by Proposition 13. 14| with 
high probability it is sufficient to compute two random elements of the derived 
group. Random elements of the derived group can be obtained as described in 
Section [231 

Let us now describe the algorithm in more detail. First we fix some notation. 

• jeG = (X) = Rce(q) is an involution, and C = Co(j) = (V), 

• V = V s 8 Va is the module of C" 

• ipv ■ V —¥ V3 is the natural projection homomorphism, 

• ipo ■ P(V r ) — > P(Va) is the induced projective map, 

• ipo '■ GL(7,q) — > GL(3,<7) is the corresponding homomorphism of group 
elements and C3 = ipa{G'), 

• 7T3 : PSL(2, q) — > GL(3, q) is the symmetric square map, so ir^ : g H> S 2 (g), 

• pc ■ C*3 — > PSL(2,q) is the map to the standard copy from Theorem 12. 11 
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• 7T7 : C3 — > C is calculated by first using pa to map an element to the 
standard copy, then expressing at as an SLP, which is then evaluated on Y. 

• C3 is a change-of-basis from V3 to S 2 (A) , where A is the natural module of 
PSL(2,<j). Hence C3 3 = Im7r 3 . 

Clearly, an application of the MeatAxe on V provides a change-of-basis which 
allows us to set up the maps Lpv, <£o and <Pg- An application of Theorem 12.11 on 
C3 allows us to set up the maps tt^ and n^, and to obtain C3. 

4.1.1. Constructing a mapping element. We now consider the algorithm that con- 
structs elements that map one point of O to another. If we identify A as (x) © (y) 
for indeterminates x, y, then we can identify the module U = P(S 2 (A)) with the 
space of quadratic forms in x and y modulo scalars, so that U = {x 2 ) {xy) © (y 2 )- 
Then C3 3 acts projectively on U and \U\ = |P(F 3 )| = |P 2 (F 9 )| = (q 3 - l)/(g- 1) = 
q 2 +q + 1. 

Proposition 4.2. Under the action of H — C3 3 , the set U splits into 3 orbits. 

(1) The orbit containing xy, i.e. the non- degenerate quadratic forms that rep- 
resent 0, which has size q(q + l)/2. 

(2) The orbit containing x 2 + y 2 , i.e. the non-degenerate quadratic forms that 
do not represent 0, which has size q(q — l)/2. 

(3) The orbit containing x 2 ( and y 2 ), i.e. the degenerate quadratic forms, which 
has size q + 1. 

The pre-image in SL(2, q) of pG((H xy ) c 3 ) is dihedral of order 2(q — 1), generated 
by the matrices 



~w 




' 1" 


u- 1 


and 


-1 



(4.1) 



Proof. This is elementary theory of quadratic forms, except that we work projec- 
tively. 

□ 

Proposition 4.3. Use the notation above. 

(1) The number of points of O that are contained in Ker(<y9y) is q+ 1. 

(2) Let P € O be uniformly random. The probability that P (jt Ker((y9y), and 
that tpo(P)c3 is both non- degenerate and represents is at least 1/2 + 

0(1/9). 

Proof. (1) The map <py projects onto V3, so the kernel consists of those vectors 
that lie in V4. From the proof of Proposition 13. 71 with respect to a suitable 
basis, V4 is the — 1-eigenspace of h(— 1). Hence by an argument similar to the 
proof of Proposition 13. 3[ a point P — (p%, . . . ,p?) € V4 if P2 = Pa = Pe = 
and there are q + 1 such points in O. 
(2) Since P is uniformly random and ipo is chosen independently of P, it follows 
that ipo(P) is uniformly random from <po(0). Without loss of generality 
we can take C3 to be the identity. Using the notation above, ipo(P) = 
P2X 2 + p^xy + pey 2 , which is degenerate if P2 — 0. This happens with 
probability (q + l)/(q 2 + 1). If P2 7^ 0, then P tf. Kei((pv), and we can then 
express the point as tpo(P) = x 2 + bxy + cy 2 where (1 : b : c) is uniformly 
distributed in P 2 (F g ). It is degenerate if b 2 — c = 0, which happens with 
probability 1/q. If it is not degenerate, it represents when b 2 — c is a square 
in F g , which happens with probability 1/2. The result follows. 

□ 

The algorithm that maps one point to another is given as Algorithm [TJ 



12 



HENRIK BAARNHIELM 



Algorithm [T] FindMappingElement(A, P, Q) 

1 Input: Generating set X for G = Ree(g), H — G3. 

Points P ^ Q £ O such that P. Q <t Ker(ipv), and <po(P) and <fo{Q) are 
non-degenerate and represent 0. 

2 Output: <?2 G G, written as an SLP in X, such that P<?2 = Q- 

3 P 3 := (^o(P)c 3 ; Q3 ■= fo(Q)c3 

4 Construct upper triangular g 6 PSL(2, g) such that P 3 7r 3 (g) = Q 3 

5 i? 3 := ^ (P7r 7 (7r 3 (.g) c 3 ))c 3 

6 // Now P 3 = Q 3 

7 Construct c G GL(3, g) such that (xy)c = P 3 

8 Let D be the image in PSL(2, q) of the diagonal matrix in (|4.1|) 

9 s ^tttM-D)^" 1 ) 

10 //Now (s) ^ip-^HR,) 

11 (5, z := DlAGONALISE(s) 

12 //Now<5 = s 2 

13 if 3 A e F ? x such that (P7r 7 (7r 3 (.g) c 3 1 )z)h(X) = Qz 

then 

14 i := DiscreteLog(i5, h(Xj) 

15 // Now 5 i = h(X) 

16 return iriiTr^gY 3 )s l 
end 

17 return fail 



4.1.2. Constructing a stabilising element. Let G = (X), P G be given. The 
complete algorithm that constructs a random element of Gp proceeds as follows. 

(1) Find a random involution j e G. 

(2) Compute generators Y for G = Cg(j) using [5], and generators for C' as 
described in Section [231 

(3) Use the MeatAxe to verify that the module for C' splits up only as in 
Proposition 13.81 

(4) Return to the first step if P lies in the kernel of tpv , if fo (P)c 3 is degenerate, 
or if it does not represent 0. 

(5) Use Theorem l2.1l to verify that we have the whole of G' and to set up maps 
listed at the start of of Section |4~T1 Return to the second step if this fails. 

(6) Take random gi 6 G and let Q = Pg\. Repeat until P ^ Q, Q does not lie 
in the kernel of <pv and <^e>(G:)c 3 is not degenerate and represents 0. 

(7) Use Algorithm Q] to find g% e C' such that Q = P<?2- Return to the previous 
step if it fails, otherwise return g\g% ■ 

4.1.3. Correctness and complexity. 

Lemma 4.4. Let P 3 , Q3 G ipo(0) be non- degenerate and represent 0. There exists 
g G PSL(2,g) such that the pre-image of g in SL(2,g) is upper triangular and 

Proof. Without loss of generality, we can take c 3 = 1. Since P 3 and G/ 3 are non- 
degenerate, P 3 = x 2 + axy + by 2 and Q 3 = x 2 + Ixy + ny 2 where (1 : a : b) and 
(l:l:n) are in P 2 (F 9 ). Also, 

_ u v 
9 ~ [0 l/u 

where u, v G ¥ q and u ^ 0. 



(4.2) 
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We want to determine u,v such that P-K^(g) = Q. Note that g is the pre-image 
in SL(2, q) of an element in PSL(2, q) and therefore ±u determine the same element 
of PSL(2, q). The map tt^ is the symmetric square map, so 

,2 



U —UV V 

13(5) =0 1 v/u 

l/u 2 

This leads to the following equations: 

,2 



(4.3) 



u = C (4.4) 
-uv + a = Cl (4.5) 
v 2 + avu' 1 + bu~ 2 = Cn (4.6) 

for some C € F * . We can solve for it in (|4.4[) and for w in (|4.5[) , so that (|4.6|) 
becomes 

C 2 (n-l 2 ) + a 2 -6 = (4.7) 

This quadratic equation has a solution if the discriminant (I 2 — n)(a 2 — b) £ (F*) 2 . 
But the latter is true since both (a 2 — b) and (I 2 — n) are non-zero squares. The 
result follows. □ 

Theorem 4.5. If Algorithm^ returns an element gi, then Pg% — Q. If P and Q 
are chosen as in Section [A.\.2\ then the probability that Algorithm^ finds such an 
element is at least 1/2 + 0(l/g). 

Proof. By Proposition 14.21 the point R3 is in the same orbit as xy, so the element 
c at line [7] can easily be found by diagonalising the form corresponding to R3. 
Let H = C3. Then 7r 3 (_D) cc 3 £ Hr 3 has order (q — l)/2. Hence s also has order 
(q- l)/2, and s e ^(H^). 

We choose Q such that there exists g\ £ C with Pgi = Q. If we let 33 = ^(g) 133 , 
with g as in the algorithm, and R = ^717(^3), then R^7{g^)^ 1 gi = Q and ipo(R) — 
R3 = Q3- Hence ^G^ig^gi) & Hq 3 , and therefore n 7 (g 3 )" 1 g 1 £ ip^}(H R3 ). 

By Proposition 14.21 lpq}(Hr 3 ) is dihedral of order q — 1, and s generates a 
subgroup of index 2. Therefore Pr^^) -1 ^! e (s)} = 1/2, which is the success 
probability of line H31 

It is straightforward to determine if A exists, since h(X) is diagonal. Hence the 
success probability of the algorithm is as stated. □ 

Theorem 4.6. Assume an oracle for the discrete logarithm problem in ¥ q . The 
time complexity of Algorithm^ is 0(log(g) 3 + Xd) field operations. The length of 
the returned SLP is 0(log(q) loglog(g)). 

Proof. By Lemma 14.41 line [4] involves solving a quadratic equation in ¥ q , and hence 
uses 0(1) field operations. Evaluating the maps tt^ and tt 7 uses 0(log((j) 3 ) field 
operations, and it is clear that the rest of the algorithm can be done using 0(xd) 
field operations. 

By Theorem l2.11 the length of the SLP from the constructive membership testing 
in PSL(2, q) is 0(log(g) loglog(g)), which is therefore also the length of the returned 
SLP. □ 

Corollary 4.7. Assume an oracle for the discrete logarithm problem in ¥ q . There 
exists a Las Vegas algorithm that, given (X) GL(7, q) such that G — (X) — 
Ree(g) and P £ O, constructs a random element of Gp as an SLP in X. The 
expected time complexity of the algorithm is 0(£ log log(q) + log(g) 3 + xd) field 
operations. The length of the returned SLP is 0(log(g) loglog(q)). 
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Proof. The algorithm is given in Section 14.1.21 

An involution is found by obtaining a random element of even order and then 
raising it to an appropriate power. Hence by Corollary 13.121 the expected time to 
find an involution is 0(£ + log(g) loglog(q)) field operations. 

By [121 Theorem 7], we can use [5] to obtain generators of the centraliser, using 
0(1) field operations. As described in Section [2.31 we can obtain uniformly random 
elements of its derived group. By Proposition 13.141 two random elements will gen- 
erate PSL(2, q) with high probability. This implies that the expected time to obtain 
generators for PSL(2, q) is 0(1) field operations. 

By Proposition ^. 21 Q is equal to P with probability 2/(q(q+l)). By Proposition 
14.31 P has the required properties with probability 1/2, and similarly for Q, so the 
expected time of the penultimate step is 0(1) field operations. 

Since P and Q can be considered uniformly random and independent in Algo- 
rithm [TJ the element returned by that algorithm is uniformly random. Hence the 
element returned by the algorithm in Section 14.1.21 is uniformly random. 

The expected time complexity of the last step is given by Theorem 14.51 and 
14.61 It follows from the above argument that the expected time complexity of the 
algorithm in Section 14.1.21 is as stated. 

The algorithm is clearly Las Vegas, since it is straightforward to check that the 
element we compute fixes the point P. □ 

4.2. Constructive membership testing. We now describe the constructive mem- 
bership algorithm for our standard copy Ree(q). Given a set of generators A, such 
that G = (A) = Ree(q), and given g £ G, we want to express g as an SLP in A. To 
decide if g £ G, we use the first step of the algorithm in Theorem 14. II 

The general structure of the algorithm mirrors the corresponding algorithm for 
the Suzuki groups [T]. It consists of a pre-processing step and a main step. 

4.2.1. Pre-processing. The pre-processing step constructs "standard generators" for 
Os(Gp ao ) = U(q) and Oz(Gp a ). For Os(Gp x ) the standard generators are matrices 

{S(a u x t , yi )YU U {S(0, b l: m)}^ U {S(0, 0, Ci )} t " =1 (4.8) 

for some unspecified Xi,yi, Zi £ ¥ q , such that {oi, . . . , a n }, {b\, . . . , 6„}, {c\, . . . , c„} 
form vector space bases of ¥ q over F3 (so n = log 3 q = 2m +1). The standard 
generators for O3(Gp ) are analogous. 

We shall need the following elementary result, which we state without proof. 

Lemma 4.8. There exist algorithms for the following row reductions. 

(1) Given g = h(X)S(a,b,c) £ Gp^, construct x £ O3 (Gp^) expressed as an 
SLP in the standard generators, such that gx = h(X). 

(2) Given g — S(a,b,c)h(X) £ Gp^. construct x £ O^^Gp^) expressed as an 
SLP in the standard generators, such that xg = h(X). 

(3) Given P^ ^ P £ O, construct g £ 03(Gp oo ) expressed as an SLP in the 
standard generators, such that Pg = Pq. 

The SLPs of the constructed elements have length 0(log(g)). The algorithms have 
time complexity 0(log(g) 3 ) field operations. Analogous algorithms exist for Gp . 

Theorem 4.9. Given an oracle for the discrete logarithm problem in ¥ q , the pre- 
processing step is a Las Vegas algorithm that constructs standard generators for 
03(Gp oo ) andOz(Gp ) asSLPsinX of length O(log(q)(\og\og(q)) 2 ). It has expected 
time complexity 0((£ loglog(g) + log(gr) 3 + xd) loglog(q)) field operations. 

Proof. The pre-processing algorithm consists of the following steps: 

(1) Obtain random 01,02 £ Gp^ and 61,62 £ Gp using the algorithm from 
Corollary S3 Let ci = [01,02], c 2 = [61,62]- 
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(2) Determine if there exists d\ £ {ai, 02} that can be diagonalised to h(X) £ G, 
where A £ F* does not lie in a proper subfield of ¥ q . Similarly determine 
existence of a d,2 from b\ and 62- Determine if |ci| = |c2 1 = 9. Return to the 
first step if any of these tests fail. 

(3) As standard generators for O3 (Gp^) we take U = Ux U U2 where 

2m+l 

Ux = [J K 1 '^) 4 } ( 4 - 9 ) 

i=l 

^2 = |J {[cfvf 1 ]} (4.10) 

From C2 and c?2 we similarly obtain standard generators L for O3 (Gp ) 

It follows from (j3~T0| and (j3~l~3| that [/ is of the form (|4~8]l . Similarly, L has the 
correct form. Since the <Zj and 6, are expressed as SLPs in X, this is also true for 
the elements of U and L. 

By Corollary 14.71 the expected time to find and 6, is 0(£ loglog(q) + log(g) 3 + 
Xd), and these are uniformly distributed independent random elements. The ele- 
ments of order dividing q — 1 can be diagonalised as required. By Proposition 13.11 
the proportion of elements of order q — 1 in Gp^ and Gp is <j)(q — l)/(q — 1). 

It is straightforward to determine if at or 6, diagonalise to some h(X), since they 
are triangular. To determine if A lies in a proper subfield, it is sufficient to determine 
if |A| I 3 n — 1, for some proper divisor n of 2m + 1. 

Hence by Proposition 13.151 the expected time for the first two steps is 

0((£loglog(g) + log(q) 3 + X d) loglog(o)) 

field operations. 

By the remark preceding the theorem, U determines three sets of field elements 
{ax,.-., a 2m +i}, {61, . . . , b 2m +i} and {cx, . . ■ ,c 2m+ i}. By (|3. 13[) . in this case each 
a, = aA\ bi = 6A l ' t+2 ) and Cj = cA^ t+3 \ for some fixed a, 6, c € , where A is as in 
the algorithm. Since A does not lie in a proper subfield, these sets form vector space 
bases of F g over F3. Hence U and L are standard generators and the algorithm is 
Las Vegas. 

□ 

4.2.2. Main algorithm. We now present the algorithm to express an arbitrary g E G 
as an SLP. It is given as Algorithm [21 

4.2.3. Correctness and complexity. 

Theorem 4.10. Algorithm® is correct, and is a Las Vegas algorithm. 

Proof. First observe that since r is randomly chosen, we obtain it as an SLP. 

The elements z\ and z 2 can be constructed using Lemma 14.81 so we can obtain 
them as SLPs. 

The element u constructed at line Q2] clearly has trace x. Because u can be 
computed using Lemma 14.81 we obtain it as an SLP. From Proposition 13.131 wc 
know that u is conjugate to h(X) ±1 , for some A £ F^ , and therefore fixes two points 
of O. Hence the elements found at lines 1161 and 1171 can be computed using Lemma 
14.81 so we obtain them as SLPs. 

Finally, the elements that determine w have been constructed as SLPs, and it is 
clear that if we evaluate w we obtain g. Hence the algorithm is Las Vegas and the 
theorem follows. □ 

Theorem 4.11. Algorithm ® has expected time complexity 0(£ + log(q) 3 ) field 
operations and the length of the returned SLP is 0((log(q) loglog(q)) 2 ). 
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Algorithm^ ElementToSLP([7, L, g) 

1 Input: Standard generators U for Gp^ and L for Gp Q . Matrix g E (X) = G. 

2 Output: SLP for g in X 

3 repeat 



4 repeat 

5 r := Random(G) 

6 until gr has an eigenspace Q £ and P ^ Q 

7 Construct zi € Gp^ using U such that Qzi = Po- 

8 // Now {gr) z * € Gp 

9 Construct 22 G Gp using L such that (gr) Zl Z2 = /i(A) for some A G F* 

10 x := Tr(h(X)) 

11 until x — 1 is a square in F* 



12 // Express diagonal matrix as SLP 

13 Construct u = 5(0, 0, ^(x - 1) 3 *)5'(0, 1, 0) T using U U L 

14 // Now Tr(u) = x 

15 Let Pi, Pi £ O be the fixed points of u 

16 Construct a E Gp x using £/ such that Pi a = Po 

17 Construct 6 6 Gp using L such that (p2a)6 = P^ 

18 // Now u ab € G Poo n G Po = P(g), so w ab e |^(A) ±1 } 

19 if u ab = h(X) 



then 

20 Let w be the SLP for {u ah z^ 1 )^ r~ l 

21 return w 
else 

22 Let w be the SLP for ((u ab )- 1 z^ 1 )**' r' 1 

23 return w 



end 



Proof. It follows immediately from Lemma 14.81 that lines [§J Q21 HU and [TTJ use 
0(log(g) 3 ) field operations. 

From Corollary 13.121 the expected time to find r is 0(£) field operations. Half 
of the elements of F* are squares, and x is uniformly random, hence the expected 
time of the outer repeat statement is 0(£ + log(g) 3 ) field operations. 

Obtaining the fixed points of u, and performing the check at line [5] only amounts 
to considering eigenvectors, hence uses 0(\ogq) field operations. Thus the expected 
time complexity of the algorithm is 0(£ + log(g) 3 ) field operations. 

From Theorem [L9] each standard generator SLP has length 0(log(g)(log log(g)) 2 ) 
and hence w has length 0((log(q) log log(g)) 2 ). □ 

4.3. Conjugates of the standard copy. Assume that we are given a conjugate 
G of Ree(g). We consider the problem of constructing g £ GL(7, q) such that 
G 9 = Ree(g), thus obtaining an algorithm that constructs effective isomorphisms 
from any conjugate of Ree(g) to the standard copy. 

Theorem 4.12. Assume an oracle for the discrete logarithm problem in ¥ q . There 
exists a Las Vegas algorithm that, given a conjugate G = (X) ofHee(q), constructs 
g G GL(7, q) such that (X) 9 = Ree(g) = S. The algorithm has expected time 
complexity 0(£ loglog(<7) + log(g)(cTo(log(<7)) + log(q)) + \d) field operations. 

Proof. We prove the result by exhibiting the algorithm. Let V = (ei, . . . , e~j) be the 
given module. 
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(1) Find a random involution jc € G. Let jg = h(—l) E S. By Corollary 13. 121 
the expected time is 0(£ + log(g) loglog(<7)). 

(2) Compute generators for Cg(j'g) using [5], and generators for C G — GgUg)' 
by taking commutators of the generators of CqUg)- Observe that Cs(js) = 
(T, h{uj), S(0, 1, 0)) and similarly compute generators for C s = Cs(js)'- 
Similarly as in the proof of Corollary 14.71 the expected time is 0(1). 

(3) Use the MeatAxe to decompose the module of C G into its direct summands 
V G and V G of dimension 3 and 4. Decompose the module of C into V3 = 
(e2, e4, eg) and Vf = (ei, e$, e§, ei). Hence obtain change-of-bases cq and cs 
which exhibit the direct sums, with the 3-dimensional submodules coming 
first. Let C G and C G be the projections of C G acting on the 3-space and 
4-space, respectively, and similarly define C§ and Cf. Since we have 0(1) 
generators for C G and C s , the expected time is 0(log(g)). Note that we also 
obtain a bijection between the generators of C G and C G or C G , respectively, 
and similarly for C s . 

(4) Use Theorem 12.11 to constructively recognise C G and Cf and obtain stan- 
dard generators Y G and Y£ for these groups as SLPs in the input gen- 
erators. Evaluate the SLPs on the generators of C G and C s and use cq 
and cs to project the resulting matrices to the 3-spaces. Hence also ob- 
tain standard generators Y G and Y$ for C G and C§ . The expected time is 
0((f + log(g)loglog(g))loglog(g) +*£>). Note that |r 4 G | = \Y G \ = \Y?\ = 
\Y S \ 

I 3 |- 

(5) Let A be the natural module of PSL(2,g). By Proposition ET51 Vf = 

s (g> A® s , for some 1 $J is < ks ^ 2rn + 1, where <fr is the Frobenius 
automorphism. Similarly, V G = A^ G ® A^ G . Use the MeatAxe together 
with Yf and Yf to obtain 1 ^ fc < 2m + 1 such that Vf = (Vf)^ k . 
Hence obtain a change-of-basis C4 between these. Then (C G ) Ci — Cf. The 
expected time is 0(log(g) 2 ). 

(6) Similarly, use the MeatAxe together with Y G and Y3 to construct a change- 
of-basis c 3 from Kp to {Vf)^ . Then (Cf) C3 = Cf. The expected time is 
0(log(r,)). 

(7) Let C7 be the diagonal join of C3 and C4. Let c = c^c^ 1 . Then (C G ) C = Cs- 

(8) Now C5 < G c n S*, so G c must preserve a form which is preserved by Cs- 
Use the MeatAxe to construct the form K preserved by G c . By Proposition 
13.101 K = antidiag(l, a, 1, — a, 1, a, 1) for some a £ (IF*) 2 , up to a scalar 
multiple. Let x = y/a and cj = diag(l, x, 1, 1, x, 1) € Cs. Then G CCJ 
preserves the form J. The expected time is 0(1). 

(9) Now G CCJ < n(7, q) and C s < G CCJ . By Proposition C s is contained in 
at most two 17(7, ^-conjugates of S, so G CCJ = S" with probability at least 
1/2. Use Theorem l4.1l to test this. The expected time is 0(<Jo(\og(q)) log(<7)). 

If any of the tests or Las Vegas algorithms used fail, we start again from the begin- 
ning. In total, the expected time complexity is 0(£ loglog((7) + log(<7)(cr (log(g)) + 
log(q)) + xd) field operations. This proves the result. □ 

4.4. Main theorem. 

Proof of Theorem IJ.il The algorithm providing follows from Theorem l4.121 Since 
'J and are just conjugations, they can be computed using 0(1) field operations, 
so they are effective. 

Constructive membership testing in Ree(g) follows from Theorem 14. 91 and Algo- 
rithm [5J For constructive membership testing in (X) we first map the element to 
Ree(q) using 'J, then express it as an SLP. □ 
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5. Implementation and performance 

Implementations of the algorithms are available in Magma. The implementa- 
tions use the existing Magma implementations of the algorithms described in [8] , 

0, us, m, pi and Hang. 

We have benchmarked the computation of generating sets for stabilisers, in other 
words most of the algorithm from Theorem 14.91 This is shown in Figure 15.11 For 
each field size q — 3 2m+1 , generating sets for stabilisers of 100 random points were 
computed, and the average running time for each call is listed. The amount of this 
time that was spent in discrete logarithm computations outside [11] , SLP evaluations 
and in [TT] is also indicated. Note that the algorithm of [TT] also uses a discrete 
logarithm oracle. 

When 2m + 1 has a "small" prime divisor, finite field arithmetic in F g in Magma 
is particularly fast. This is because Magma uses Zech logarithms for finite fields 
up to a certain size, and for larger fields it tries to find a subfield smaller than 
this size. If this is possible the arithmetic in the larger field will be very fast. To 
avoid jumps in the figure, and to properly measure field operations, we have turned 
off this optimisation, and have in each case divided by the time required for 10 
multiplications of random pairs of field elements. 




Figure 5.1. Benchmark of stabiliser computation 



In the same fashion, we have benchmarked the conjugation algorithm from The- 
orem 14.121 This is shown in Figure 15.21 

All benchmarks were carried out using Magma V2.18-2, Intcl64 flavour, on a PC 
with an Intel Core2 CPU running at 2 GHz, and with 2 GB of RAM. The largest 
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Figure 5.2. Benchmark of Rcc conjugation 



value of m in the tests was 20, since discrete logarithm computations became very 
slow in F343 . 
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